Posts about snowden

Here at Davos, I just left a media conversation with Brazilian President Dilma Rousseff at which I asked two questions relevant to the internet.

First, I asked under what circumstances she would consider granting asylum to Edward Snowden. She did not answer that question directly but said that the Brazilian government “has not been addressed” regarding an application for asylum, “therefore since I cannot possibly contemplate such a request you are working under a mistaken premise. The request was never formally submitted.” Interpret the subtleties of that as you may.

I also asked about controversial plans to require technology companies to store Brazilians’ data in Brazil, seeking her reaction to criticism that this will lead to a balkanized internet. She responded strictly in the context of criminal prosecution, saying that in an investigation into money laundering her justice department was denied access “precisely because it ran counter to the legislation of the country where the data was stored.”

“We cannot possibly accept that interference about data,” she continued. “It’s about our sovereignty…. We cannot find ourselves subject to the laws that prevail in third-party countries.” And then she added: “A compromise agreement is always possible.”

A few observations:

First, holding citizens’ data in Brazil makes it easier for the authorities to get data on those citizens for reasons good or bad.

Next, I’m surprised that she did not use this as an opportunity to continue her complaints about U.S. surveillance of Brazilian entities.

Instead, she put this as a matter of Brazilian sovereignty. That’s blunt but troubling. I’ve argued before that no nation should be able to claim sovereignty over the net.

If Brazil succeeds in imposing this data requirement, then it represents the further balkanization of the net. Brazil ends up with its own net, Iran does too, and so does China. The good-guy argument doesn’t wash for the architecture and precedent set by any good guy can be used by any bad guy.

Note also this week that Microsoft said it would honor customers’ requests to hold their data outside of the U.S. and the prying eyes of the NSA. At a practical level, it’s not hard to imagine that working for enterprise data; here at Davos, Salesforce.com’s Marc Benioff said his company can show a client the building and the rack where its data is held. But for consumer services, it is hard to imagine how, say, Bing could store, say, your search history outside the U.S. but mine inside.

And apart from those practical considerations, other tech executives said yesterday at Davos that the U.S. FISA court can still require a technology company to hand over data that is under its control, no matter whether that data is held in the U.S. or abroad.

This is a show of shadow puppets but one that could have serious, injurious impact on the net.

Back to Rousseff: The media conversation was to be off the record but after it was over she said that everything she said could be used on the record.

An odd event, it was. Asked one question about the economy of Brazil, she filibustered for half an hour, sounding — in the observation of another journalist — like a Chinese party official outlining the newest five-year plan.

Here’s a post I wrote for the Guardian arguing that the primary issue with the NSA is not privacy but government overreach and oversight.

I celebrate Judge Richard J. Leon’s opinion that the government’s mass collection of communications metadata is “almost Orewellian” and I decry Judge William H. Pauley III’s decision since that the NSA’s collection is both effective and legally perfectly peachy.

But I worry that the judges — as well as many commentators and Edward Snowden himself — may be debating on the wrong plane. I see some danger in arguing the case as a matter of privacy because I fear that could have serious impact on our concept of knowledge, of what is allowed to be known and thus of freedom of speech. Instead, I think this is an argument about authority — not so much what government (or anyone else) is allowed to know but what government, holding unique powers, is allowed to do with what it knows.

Indeed, the Fourth Amendment, which is often called upon in this argument, is explicitly about controlling authority:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

In the search for a legally protected right to privacy in the United States, begun with Brandeis and Warren in 1890, the Fourth Amendment has been interpreted as affording privacy protection as have the First Amendment (freedom of belief) and the Fifth (freedom against self-incrimination). In each case, though, the right is not so much for something — privacy — as against something — namely, government abuse.

Yet we continue to hold the NSA debate around whether communications metadata is public or private. In the past, such data was presumed to be public because once it was known by a third party, it could no longer be claimed as private. The information on an envelope — metadata to the contents inside: sender and recipient — must be known by a third parties along the way, mail carriers and sorters, to get to its destination. So it is not private. This same theory was applied to the telephone as the phone company has to know who’s placing and who’s receiving a call to complete it. Thus the government says it can seek such public information without affecting privacy.

Judge Leon argues, with insight, that scale affects the revelatory impact of metadata as we now use phones to do so much more than make calls:

Put simply, people in 2013 have an entirely different relationship with phones than they did thirty-four years ago…. Records that once would have revealed a few scattered tiles of information about a person now reveal an entire mosaic — a vibrant and constantly updating picture of the person’s life.

Yes, but my fear with Leon’s argument is that once we we say some amount of data is too much to have, then we will end up debating the line around too much knowledge and that is a line I never want to see drawn. If we start to say that bad things can happen merely if knowledge exists, then too soon we fall into the trap of controlling the extent of knowledge — who may know what and how much they may know and thus who may say what to whom. That is the basis of censorship and ultimately tyranny.

I also fear the impact of Leon’s argument on the notion of publicness. Once knowledge is public, it becomes a public good and the person who put it there does not gain the right to somehow withdraw it because of who ends up holding it or what they may do with it. This is why I object to European Commission Vice-President Viviane Reding’s notion of a right to be forgotten — for that gives someone the right to tell others what they may not know. I also object to the idea that there should be a presumption of privacy in public, for that would harm the journalist’s — that is to say, anyone’s — ability to report on what they witness in public, especially acts by public officials. It could also affect the ability of researchers to collect data and find unforseen connections and correlations.

Think of privacy this way: When I tell you something about myself, that fact is then public to that extent. What happens to it is now out of my hands; it is in yours. Thus, in Public Parts, I defined privacy as an ethic of knowing someone else’s information (and whether sharing it further could harm someone) and publicness as an ethic of sharing your own information (and whether doing so could help someone).

When I researched Public Parts, danah boyd sat me down and explained how I should understand the gathering versus the use of information.

“Privacy,” she says, “isn’t just about controlling the access to information but controlling how it’s used, how it’s interpreted…. If you walk into my office applying for a job, with one quick look I’m going to be able to get a decent sense of your gender, your race, your age.” Antidiscrimination law doesn’t forbid her from knowing these bits of information about me. Instead, it forbids her from using them against me in hiring. Of course, she could still deny me the job because of my gray hair. But if she is caught in a pattern of discriminating against applicants on the basis of age, she can be sued.

boyd pointed out an important consequence of restricting use: “If you can’t use the information, it makes a lot less sense to try to find ways to access it.”

So what we should be restricting — with legislation and open oversight by courts, Congress, the press, and ultimately the people — is the NSA’s ability to seek and use information against anyone — citizen or foreigner — without documented suspicion of a crime, due process, and a legal warrant. But don’t we already have that: Isn’t that what the Fourth Amendment prescribes? Well, of course, this is how we end up arguing whether collection of every bit of information my phone provides — whom I talk with and where I go and what I do when — is just collecting data or is the equivalent of searching me or surveilling my every move. Government should not be able to ask for that information unless it has due and just cause to. That surveillance of the innocent is government’s overreach of its authority.

But next we end up asking whether that data should be stored anywhere — whether government can decree that phone or internet or credit card companies should hold onto data so government could ask for it. That, I believe, should be governed by a separate set of principles, consumer principles that consider the benefits and risks to me for allowing such data to be held and that give me transparency into what is being done and reasonable control over it. That does not and cannot mean that I can exercise full control over any data to which I’m a party, for data is produced by interactions among parties, each of whom has interests and rights.

We should have this discussion on a level of principles. The best example of that: If our First Class mail carried by the US Postal Service is protected from government search except with a warrant, then all our private communication — by email, direct message, chat, Skype, or any invention to come — should receive similar protection. If metadata at a large scale — phone data — is problematic for government to hold then shouldn’t there be limits on it at a small scale — the Post Office (which is now photographing and logging every item it handles)? The problem is that these laws and cases were written to a technology — physical mail or POTS — when they should be written to a principle.

It is also important not to presume that metadata — or Big Data — is bad and dangerous any more than it is right to assume that technology is bad just because it could be misused. I enter into a transaction with Google’s Waze allowing it to know where I live and work so I can get the traffic between those points every day. I allow Googe to retain my searches — it’s easy to use incognito mode instead — because I value more personally relevant search results. I have been arguing that my local newspaper should gather signals about me as Google does so it could give me less noise and more relevance. I understand that Target has to communicate my debit card and pin data to complete a transaction but I expect them to hold that information securely. I also think that my cancer hospital, Sloan-Kettering, should collect data about how many penises — including mine — still function properly after prostate surgery there because that information and associated metadata about surgeons and age and other conditions could be valuable to the patients who follow. Of course, I expect that data to be held anonymously.

Each of these transactions enables the collection and use of data but is governed by sets of principles that take into account the transactors’ interests and rights and responsibilities, and those principles should be made public so customers can make decisions based on them. (See Doc Searls’ vendor relationship management as an attempt to codify that.)

Government’s access to that data must be determined, in turn, by a separate and much more stringent set of laws born of the principles set forth in the Bill of Rights and built with the knowledge that government has the means to use our information against us, in secret. Does the NSA’s mass collection, analysis, and use of communications metadata violate the Fourth Amendment? I think it does because it acts as surveillance over innocent citizens, treating all of us as criminals in government’s dragnet without probable cause or due process. Or as Jay Rosen puts it: “My liberty is being violated because ‘someone has the power to do so should they choose.’ Thus: It’s not privacy; it’s freedom.”

Privacy is important. It needs protection. But the primary issue here isn’t privacy. Nor is it the existence of any technology or of data. The issue with the NSA in all its activities revealed by Edward Snowden — not just the collection of phone metadata but also the wholesale hoovering of communication on the internet, the creation of backdoors in technology and other efforts to subvert security, the spying on other nations’ officials and companies — is government overreach and the absence of oversight. I am less concerned with what government knows about me than what we don’t know about government.

It has been said that privacy is dead. Not so. It’s secrecy that is dying. Openness will kill it.

American and British spies undermined the secrecy and security of everyone using the internet with their efforts to foil encryption. Then Edward Snowden foiled them by revealing what is perhaps (though we’ll never know) their greatest secret.

When I worried on Twitter that we could not trust encryption now, technologist Lauren Weinstein responded with assurances that it would be difficult to hide back doors in commonly used PGP encryption — because it is open source.

Secrecy is under dire threat but don’t confuse that with privacy. “All human beings have three lives: public, private, and secret,” Gabriel Garcí­a Márquez tells his biographer. “Secrecy is what is known, but not to everyone. Privacy is what allows us to keep what we know to ourselves,” Jill Lepore explains in The New Yorker. “Privacy is consensual where secrecy is not,” write Carol Warren and Barbara Laslett in the Journal of Social Issues. Think of it this way: Privacy is what we keep to ourselves. Secrecy is what is kept from us. Privacy is a right claimed by citizens. Secrecy is a privilege claimed by government.

It’s often said that the internet is a threat to privacy, but on the whole I argue it is not much more of a threat than a gossipy friend or a nosy neighbor, a slip of the tongue or of the email “send” button. Privacy is certainly put at risk when we can no longer trust that our communication, even encrypted, are safe from government’s spying eyes. But privacy has many protectors. And we all have one sure vault for privacy: our own thoughts. Even if the government were capable of mind-reading, ProPublica argues in an essay explaining its reason to join the Snowden story, the fact of it “would have to be known.”

The agglomeration of data that makes us fear for our privacy is also what makes it possible for one doubting soul, one weak link — one Manning or Snowden — to learn secrets. The speed of data that makes us fret over the the devaluation of facts is also what makes it possible for journalists’ facts to spread before government can stop them. The essence of the Snowden story, then, isn’t government’s threat to privacy so much as government’s loss of secrecy.

Oh, it will take a great deal for government to learn that lesson. Its first response is to try to match a loss of secrecy with greater secrecy, with a war on the agents of openness: whistleblowers and journalists and news organizations. President Obama had the opportunity to meet Snowden’s revelations — redacted responsibly by the Guardian — with embarrassment, apology, and a vow to make good on his promise of transparency. He failed.

But the agents of openness will continue to wage their war on secrecy.

In a powerful charge to fellow engineers, security expert Bruce Schneier urged them to fix the net that “some of us have helped to subvert.” Individuals must make a moral choice, whether they will side with secrecy or openness.

So must their companies. Google and Microsoft are suing government to be released from their secret restrictions but there is still more they can say. I would like Google to explain what British agents could mean when they talk of “new access opportunities being developed” at the company. Google’s response — “we have no evidence of any such thing ever occurring” — would be more reassuring if it were more specific.

This latest story demonstrates that the Guardian — now in league with The New York Times and ProPublica as well as publications in Germany and Brazil — will continue to report openly in spite of government acts of intimidation.

I am disappointed that more news organizations, especially in London, are not helping support the work of openness by adding reporting of their own and editorializing against government overreach. I am also saddened that my American colleagues in news industry organizations as well as journalism education groups are not protesting loudly.

But even without them, what this story teaches is that it takes only one technologist, one reporter, one news organization to defeat secrecy. At the length openness will out.

Fear not, says the NSA, we “touch” only 1.6% of daily internet traffic. If, as they say, the net carries 1,826 petabytes of information per day, then the NSA “touches” about 29 petabytes a day. They don’t say what “touch” means. Ingest? Store? Analyze? Inquiring minds want to know.

For context, Google in 2010 said it had indexed only 0.004% of the data on the net. So by inference from the percentages, does that mean that the NSA is equal to 400 Googles? Better math minds than mine will correct me if I’m wrong.

Seven petabytes of photos are added to Facebook each month. That’s .23 petabytes per day. So that means the NSA is 126 Facebooks.

Keep in mind that most of the data passing on the net is not email or web pages. It’s media. According to Sandvine data for the U.S. fixed net from 2013, real-time entertainment accounted for 62% of net traffic, P2P file-sharing for 10.5%. The NSA needn’t watch all those episodes of Homeland (or maybe they should) or listen to all that Cold Play — though I’m sure the RIAA and MPAA are dying to know what the NSA knows about who’s “stealing” what since that “stealing” allegedly accounts for 23.8% of net traffic.

HTTP — the web — accounts for only 11.8% of aggregated up- and download traffic in the U.S., Sandvine says. Communications — the part of the net the NSA really cares about — accounts for 2.9% in the U.S.

So by very rough, beer-soaked-napkin numbers, the NSA’s 1.6% of net traffic would be half of the communication on the net. That’s a fuckuvalota “touching.”

And, of course, metadata doesn’t add up to much data at all; it’s just a few bits per file — who sent what to whom — and that’s where the NSA finds much of its incriminating information. So these numbers are meaningless when it comes to looking at how much the NSA knows about who’s talking to whom. A few weeks ago on Twitter, I showed that with the NSA’s clearance to go three hops out from a suspect, it doesn’t take very long at all before this law of large numbers encompasses us all and our cats.

If you have better data (and better math) than I have, please do share it.